Why Are Databases So Hard To Secure? 

Sheeri Kritzer Cabral 

Database Administrator 

The Pythian Group, www.pythian.com 

cabral@pythian.com 
Shmoocon 2008 







THINK 



I want your balls! 



Ask for information 



Respect me, respect you 
My Qualifications

Guardium, www.guardium.com 



SA starting May 2001 



DBA starting Mar 2004 
Caveat



MySQL DBA 



Experience and familiarity with Oracle, SQL Server, Postgres, Sybase, DB2 but not an expert
Pythian's Qualifications



SOX



HIPAA 



FDA (ORA/OE) 
Pythian's Qualifications



Credit Cards 
- PCI 

- PCI Gateway 



EPD (European Privacy Directive) 
Pythian's Customers



Western Union 



Palm Coast Data 



www.pythian.com/aboutUs/customers.html 
But enough of this palaver!



Let's get this show on the road 
General Security



Patch me if you can! 



Prevent Access 



Prevent meaningful knowledge 

- Encryption 

- Permissions 
Securing a Network



Physical Access/Isolation 



Authentication 



Traffic Shaping 

- Content 

- Volume 
Securing an Operating System



Authentication 



Firewall 



Installed programs 



User ACLs







Securing 3rd Party Applications



Authentication 



Configuration 



Content shaping 







Securing Your Applications 



Authentication 



Configuration 



Be wary of user-entered data 

- Even if it's checked elsewhere 
What is a Database?



Structured collection of records 



Database usually means DBMS 

- Storage 

- Retrieval 

- Processing 
Database Security In General



Who is responsible? 



Designed to store information 

- even/especially sensitive information 

- varied information 

- related information 
Database Security In General

Information gained in one part can damage another



Access points can be many 

- DBMS controls permissions 

- OS/Network/Apps control access 

- Applications control interfaces 
Application Vulnerabilities

Compromised interface 

- any data the interface can access might be compromised

- encryption algorithms can be compromised 
But how?



(I'm glad you asked... otherwise I have to stand up here a long time while you throw shmooballs at me)
Auditing and Monitoring

Prevention is one part of security 



Auditing - review and assess security 



Monitoring - alerting of security issues 
Access Points

Who can login? 

- Network, seeing traffic 

• http://forge.mysql.com/snippets/view.php?id=15



- OS 



• Data

• Logs

• Backups
Who Can Login?



- Database 



From where? What can they do? 

What consequences can they bring about? 



- Data 



• ACLs on tables, columns, stored procedures 

• Can use VIEWs 

• What is sensitive? 
GRANTing Access - Oracle

CREATE USER username 

IDENTIFIED { BY password | EXTERNALLY | GLOBALLY AS 'external_name' }

[ DEFAULT TABLESPACE tablespace ] 

[ TEMPORARY TABLESPACE { tablespace | 
tablespace_group_name } ] 

[ QUOTA { integer { K | M } ON tablespace } | UNLIMITED ] 

[ PROFILE profile ] 

[ PASSWORD EXPIRE ] 

[ ACCOUNT { LOCK | UNLOCK } ] 
GRANTing Access - MySQL

GRANT priv_type [(column_list)] [, priv_type [(column_list)]] ...
ON [object_type] 

{tbl_name | * | *.* | db_name.* | db_name.routine_name} 
TO user [IDENTIFIED BY [PASSWORD] 'password'] 
[REQUIRE NONE | [{SSL| X509}] 
[CIPHER 'cipher' [AND]] [ISSUER 'issuer' [AND]] 

[SUBJECT 'subject']] [WITH with_option [with_option] ...] 
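The syntax above lists every knob; what matters for security is which ones get turned. The script below is an added example (MySQL dialect, not from the talk or from Pythian) that applies the earlier points about ACLs on tables, columns and stored procedures, VIEWs, and user@host to one application account. The schema `shop.customers`, the subnets, the account names and the procedure body are all assumptions constructed for this example; `DELIMITER` is a mysql client command, and `REQUIRE SSL` / `MAX_USER_CONNECTIONS` go on CREATE USER in 5.7+ (older servers take them in GRANT, as the slide shows).

```sql
-- Assumed schema (constructed for this example):
--   shop.customers(id, name, email, card_number, password_hash)

-- 1. Who + where: the account exists only for the app subnet, only over TLS,
--    and with a connection cap so a runaway client cannot starve the server.
CREATE USER 'webapp'@'10.0.1.%'
  IDENTIFIED BY 'PLACEHOLDER-generate-a-real-secret'
  REQUIRE SSL
  WITH MAX_USER_CONNECTIONS 50;

-- 2. What: column-level ACL. The app can read and edit contact data but can
--    never select card_number or password_hash, even if its own code is broken.
GRANT SELECT (id, name, email), UPDATE (name, email)
  ON shop.customers TO 'webapp'@'10.0.1.%';

-- 3. A VIEW is the other way to hide sensitive columns: reporting users get
--    the view and nothing on the base table.
CREATE VIEW shop.customers_public AS
  SELECT id, name, email FROM shop.customers;
CREATE USER 'reports'@'10.0.2.%'
  IDENTIFIED BY 'PLACEHOLDER-generate-a-real-secret'
  REQUIRE SSL;
GRANT SELECT ON shop.customers_public TO 'reports'@'10.0.2.%';

-- 4. Stored procedure as the only path to the sensitive column: the app may
--    ask for the last four digits, but never for the whole card number.
DELIMITER //
CREATE PROCEDURE shop.card_last_four(IN p_id INT)
  SQL SECURITY DEFINER
BEGIN
  SELECT RIGHT(card_number, 4) AS last4
    FROM shop.customers
   WHERE id = p_id;
END //
DELIMITER ;
GRANT EXECUTE ON PROCEDURE shop.card_last_four TO 'webapp'@'10.0.1.%';

-- 5. Audit check: what can the account actually do? An
--    "ALL PRIVILEGES ON *.*" line here means someone skipped step 2.
SHOW GRANTS FOR 'webapp'@'10.0.1.%';
```

The host part of `'webapp'@'10.0.1.%'` is the DBMS side of "Who + Where"; the server and network firewalls should tell the same story, so that a leaked password is still useless from anywhere but the application tier.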
GRANTing Access - Postgres

CREATE USER name [ [ WITH ] option [...]] 



where option can be: 
SYSID uid 

CREATEDB | NOCREATEDB 
CREATEUSER | NOCREATEUSER 
IN GROUP groupname [, ...] 

[ ENCRYPTED | UNENCRYPTED ] PASSWORD 'password' 
VALID UNTIL 'abstime' 
GRANTing Access - Microsoft SQL Server

CREATE USER user_name 
[ { { FOR | FROM } 

{ 
LOGIN login_name | CERTIFICATE cert_name 

| ASYMMETRIC KEY asym_key_name 

} 

| WITHOUT LOGIN 

] 

[ WITH DEFAULT_SCHEMA = schema_name ] 
Other ACLs



Object access 



Password policies 



Roles 
Who + Where?



user@host 



Server firewall 



Network firewall 
And that's just ACLs!
Speaking of Users



Who owns the application user account? 



Who is responsible for that security? 
What + How



[Comic: xkcd "Exploits of a Mom"]

School: Hi, this is your son's school. We're having some computer trouble.

Mom: Oh, dear - did he break something?

School: Did you really name your son Robert'); DROP TABLE Students;-- ?

Mom: Oh, yes. Little Bobby Tables, we call him.

Mom: And I hope you've learned to sanitize your database inputs.
What + How



Direct access 



Stored Procedures 
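Moving logic into stored procedures only helps if the procedure itself does not rebuild the Bobby Tables problem with string concatenation. The example below is added here (MySQL dialect; not from the talk) and also serves the earlier slide's warning to be wary of user-entered data even if it is checked elsewhere: it shows the unsafe dynamic-SQL pattern next to the parameterised one, using the comic's own input. The `school.students` table, the procedure names and the `webapp` account are constructed for this example.

```sql
-- Constructed table and row for the demonstration
CREATE TABLE school.students (id INT PRIMARY KEY, name VARCHAR(100));
INSERT INTO school.students VALUES (1, 'Alice');

DELIMITER //

-- UNSAFE: the caller's string is spliced into the statement text, so a quote
-- in it ends the literal and the rest of the input becomes SQL. (PREPARE
-- takes one statement, so the comic's exact input is a syntax error here
-- rather than a DROP; the WHERE clause is still the caller's to rewrite.)
CREATE PROCEDURE school.find_student_unsafe(IN p_name VARCHAR(200))
BEGIN
  SET @sql = CONCAT('SELECT id, name FROM school.students WHERE name = ''',
                    p_name, '''');
  PREPARE stmt FROM @sql;
  EXECUTE stmt;
  DEALLOCATE PREPARE stmt;
END //

-- SAFE: the statement text is a constant; the value travels as a bound
-- parameter and is compared as one opaque string, quotes and all.
CREATE PROCEDURE school.find_student(IN p_name VARCHAR(200))
BEGIN
  SET @name = p_name;
  PREPARE stmt FROM 'SELECT id, name FROM school.students WHERE name = ?';
  EXECUTE stmt USING @name;
  DEALLOCATE PREPARE stmt;
END //

DELIMITER ;

-- The comic's input against the safe version: treated as a (very odd) name,
-- matches nothing, and the students table is still there afterwards.
CALL school.find_student('Robert''); DROP TABLE students;--');
SELECT COUNT(*) AS students_still_here FROM school.students;

-- Belt and braces: the app account may execute the procedure but holds no
-- DROP privilege on the schema, so even a broken procedure cannot take the
-- table with it.
GRANT EXECUTE ON PROCEDURE school.find_student TO 'webapp'@'10.0.1.%';
```

The same rule applies one layer up: the application should call the procedure with a prepared statement and bound parameters too. "Checked elsewhere" means the check lives in a layer the database cannot see, which is exactly why the database side has to hold its own line.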
Encryption



DB = another phase 



Still a hard issue 
Application Insecurities



Code itself 



Connection information 



Numeric/guessable ids 

- index.php?id=743374 
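A sequential id in the URL invites the next visitor to try 743375. The fix has two halves: stop exposing the row id, and stop trusting the id alone. The following is an added example (MySQL dialect, not from the talk) in which the URL carries a random token and the only read path the application account has also checks ownership. The `app.invoices` schema, the procedure and the `webapp` account are constructed for this example; `RANDOM_BYTES` is a MySQL 5.6.17+ function.

```sql
-- Constructed schema: each invoice belongs to one customer. The row id stays
-- internal; the URL carries public_token, which is random, not sequential.
CREATE TABLE app.invoices (
  id           INT AUTO_INCREMENT PRIMARY KEY,  -- internal only
  owner_id     INT NOT NULL,                    -- who is allowed to see it
  public_token CHAR(32) NOT NULL UNIQUE,        -- what index.php?id= carries
  amount       DECIMAL(10,2) NOT NULL
);

-- Tokens come from the server's CSPRNG, never from the application counter.
INSERT INTO app.invoices (owner_id, public_token, amount)
VALUES (42, HEX(RANDOM_BYTES(16)), 19.99),
       (43, HEX(RANDOM_BYTES(16)), 250.00);

-- The only read path granted to the app: token AND owner must both match,
-- so even a leaked or guessed token is useless to a different logged-in user.
DELIMITER //
CREATE PROCEDURE app.get_invoice(IN p_token CHAR(32), IN p_owner INT)
  SQL SECURITY DEFINER
BEGIN
  SELECT id, amount
    FROM app.invoices
   WHERE public_token = p_token
     AND owner_id = p_owner;
END //
DELIMITER ;

-- EXECUTE on the procedure, and deliberately no SELECT on app.invoices,
-- so the app cannot bypass the ownership check with a direct query.
GRANT EXECUTE ON PROCEDURE app.get_invoice TO 'webapp'@'10.0.1.%';

-- Check: the owner gets one row; someone else presenting the same token gets none.
SET @tok = (SELECT public_token FROM app.invoices WHERE id = 1);
CALL app.get_invoice(@tok, 42);   -- one row
CALL app.get_invoice(@tok, 43);   -- empty result
```

The ownership check is the part that matters; the random token only raises the cost of guessing. An application that looks up by token but forgets the `owner_id` condition has the same hole as one that looks up by `id=743374`, just with a longer number.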
No Sex is Safe Sex



"Safer" 



Risk assessment/management 



Orgy! 
Liars



Very little you can do 
Good DB Security Books

Implementing Database Security and Auditing - Ron Ben Natan



Database Security and Auditing: Protecting Data Integrity and Accessibility - Hassan A. Afyouni
Easy to remember:



cabral@pythian.com 



www.sheeri.com 